I'm sorry, the version of my suricata codes is 1.3.5, I just download a 1.4 version codes£¬the bug was repaired!<br><br> Thank you!<br><br><div class="gmail_quote">2013/1/12 <span dir="ltr"><<a href="mailto:oisf-users-request@openinfosecfoundation.org" target="_blank">oisf-users-request@openinfosecfoundation.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Oisf-users mailing list submissions to<br>
<a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:oisf-users-request@openinfosecfoundation.org">oisf-users-request@openinfosecfoundation.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:oisf-users-owner@openinfosecfoundation.org">oisf-users-owner@openinfosecfoundation.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Oisf-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Suricata 1.4 simple alert rule, first visit to website<br>
not triggering an alert (Vincent Fang)<br>
2. Re: Suricata 1.4 simple alert rule, first visit to website<br>
not triggering an alert (Anoop Saldanha)<br>
3. Re: Is this a bug? (Victor Julien)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 10 Jan 2013 16:30:20 -0500<br>
From: Vincent Fang <<a href="mailto:vincent.y.fang@gmail.com">vincent.y.fang@gmail.com</a>><br>
To: Eoin Miller <<a href="mailto:eoin.miller@trojanedbinaries.com">eoin.miller@trojanedbinaries.com</a>><br>
Cc: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] Suricata 1.4 simple alert rule, first visit<br>
to website not triggering an alert<br>
Message-ID:<br>
<CAMTbqJVxgq=fUfG2=3GTtjoLEVVXfTnpEAMDmEKWK=<a href="mailto:AjnPu0Qw@mail.gmail.com">AjnPu0Qw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Response to Peter Manav:<br>
<br>
Immediately after the first visit when I stop suricata, the logs stay the<br>
same with fast.log being at 0 bytes with no alerts along with unified2. A<br>
weird thing I'm noticing is that the http.log is also at 0 bytes as well<br>
even though I see get requests being made and passing through wireshark.<br>
<br>
I then saved the pcap file called businessweek from wireshark and cleared<br>
the logs again and ran suricata in offline pcap mode with the following<br>
command<br>
suricata -c /pathtoyaml/suricata.yaml -r /pathtopcap/businessweek<br>
<br>
and the resulting logs were the same, 0 bytes in the fast.log and 0 bytes<br>
in the http.log<br>
<br>
Response to rmkml:<br>
<br>
I tried with wget and the same situation occurs with with the fast.log<br>
being 0. I also tried clearing the google cache and restarting the test<br>
again, and the same result occurred. I switched browsers to firefox and<br>
cleared the cache however, and alerts started popping up in the fast.log,<br>
but only if I cleared the cached after already visiting the webpage once,<br>
otherwise fast.log would never populate.<br>
<br>
The thing that confuses me is what am I seeing in wireshark if it sees http<br>
packets matching the destination ip address? Or because it's all running on<br>
a local box, a special scenario occurs?<br>
<br>
<br>
Response to Eoin Miller:<br>
<br>
Changing the rule to tcp did not affect the outcome, and wiresharks didn't<br>
match the filter<br>
tcp && ip.dst == <a href="http://207.86.164.0/24" target="_blank">207.86.164.0/24</a><br>
<br>
<br>
So it looks like I get the correct results with Firefox if the cache is<br>
cleared, but what exactly is going on if I see matching http packets in<br>
wireshark with the matching ip destination?<br>
<br>
<br>
<br>
NOTE: Sorry for the spam, if someone could clean up the mail archive, I'm<br>
not use to this mailing list.<br>
<br>
<br>
On Thu, Jan 10, 2013 at 3:37 PM, Eoin Miller <<br>
<a href="mailto:eoin.miller@trojanedbinaries.com">eoin.miller@trojanedbinaries.com</a>> wrote:<br>
<br>
> On 1/10/2013 20:34, Eoin Miller wrote:<br>
> > On 1/10/2013 19:57, Vincent Fang wrote:<br>
> >><br>
> >> alert http any any -> <a href="http://207.86.164.0/24" target="_blank">207.86.164.0/24</a> <<a href="http://207.86.164.0/24" target="_blank">http://207.86.164.0/24</a>> any<br>
> (msg:<br>
> >> "visiting businessweek")<br>
> ><br>
> > Maybe try alert tcp instead of alert http.<br>
> ><br>
> > -- Eoin<br>
><br>
> alert ip might even be better.<br>
><br>
> -- Eoin<br>
><br>
><br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130110/2728d4f6/attachment-0001.html" target="_blank">http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130110/2728d4f6/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 11 Jan 2013 09:23:07 +0530<br>
From: Anoop Saldanha <<a href="mailto:anoopsaldanha@gmail.com">anoopsaldanha@gmail.com</a>><br>
To: Vincent Fang <<a href="mailto:vincent.y.fang@gmail.com">vincent.y.fang@gmail.com</a>><br>
Cc: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] Suricata 1.4 simple alert rule, first visit<br>
to website not triggering an alert<br>
Message-ID:<br>
<<a href="mailto:CAJK8jKEvZXd8TusftE8FO5pcSGy3WmhnFmaBSJD4SQLmOhSxzw@mail.gmail.com">CAJK8jKEvZXd8TusftE8FO5pcSGy3WmhnFmaBSJD4SQLmOhSxzw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Have you checked the dst ip is the same as the one specified in your<br>
rule? With load-balancing the dns can resolve to different ip<br>
addresses.<br>
<br>
On Fri, Jan 11, 2013 at 3:00 AM, Vincent Fang <<a href="mailto:vincent.y.fang@gmail.com">vincent.y.fang@gmail.com</a>> wrote:<br>
> Response to Peter Manav:<br>
><br>
> Immediately after the first visit when I stop suricata, the logs stay the<br>
> same with fast.log being at 0 bytes with no alerts along with unified2. A<br>
> weird thing I'm noticing is that the http.log is also at 0 bytes as well<br>
> even though I see get requests being made and passing through wireshark.<br>
><br>
> I then saved the pcap file called businessweek from wireshark and cleared<br>
> the logs again and ran suricata in offline pcap mode with the following<br>
> command<br>
> suricata -c /pathtoyaml/suricata.yaml -r /pathtopcap/businessweek<br>
><br>
> and the resulting logs were the same, 0 bytes in the fast.log and 0 bytes in<br>
> the http.log<br>
><br>
> Response to rmkml:<br>
><br>
> I tried with wget and the same situation occurs with with the fast.log being<br>
> 0. I also tried clearing the google cache and restarting the test again, and<br>
> the same result occurred. I switched browsers to firefox and cleared the<br>
> cache however, and alerts started popping up in the fast.log, but only if I<br>
> cleared the cached after already visiting the webpage once, otherwise<br>
> fast.log would never populate.<br>
><br>
> The thing that confuses me is what am I seeing in wireshark if it sees http<br>
> packets matching the destination ip address? Or because it's all running on<br>
> a local box, a special scenario occurs?<br>
><br>
><br>
> Response to Eoin Miller:<br>
><br>
> Changing the rule to tcp did not affect the outcome, and wiresharks didn't<br>
> match the filter<br>
> tcp && ip.dst == <a href="http://207.86.164.0/24" target="_blank">207.86.164.0/24</a><br>
><br>
><br>
> So it looks like I get the correct results with Firefox if the cache is<br>
> cleared, but what exactly is going on if I see matching http packets in<br>
> wireshark with the matching ip destination?<br>
><br>
><br>
><br>
> NOTE: Sorry for the spam, if someone could clean up the mail archive, I'm<br>
> not use to this mailing list.<br>
><br>
><br>
> On Thu, Jan 10, 2013 at 3:37 PM, Eoin Miller<br>
> <<a href="mailto:eoin.miller@trojanedbinaries.com">eoin.miller@trojanedbinaries.com</a>> wrote:<br>
>><br>
>> On 1/10/2013 20:34, Eoin Miller wrote:<br>
>> > On 1/10/2013 19:57, Vincent Fang wrote:<br>
>> >><br>
>> >> alert http any any -> <a href="http://207.86.164.0/24" target="_blank">207.86.164.0/24</a> <<a href="http://207.86.164.0/24" target="_blank">http://207.86.164.0/24</a>> any<br>
>> >> (msg:<br>
>> >> "visiting businessweek")<br>
>> ><br>
>> > Maybe try alert tcp instead of alert http.<br>
>> ><br>
>> > -- Eoin<br>
>><br>
>> alert ip might even be better.<br>
>><br>
>> -- Eoin<br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
<br>
<br>
<br>
--<br>
Anoop Saldanha<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 11 Jan 2013 11:09:57 +0100<br>
From: Victor Julien <<a href="mailto:lists@inliniac.net">lists@inliniac.net</a>><br>
To: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Subject: Re: [Oisf-users] Is this a bug?<br>
Message-ID: <<a href="mailto:50EFE4F5.1080303@inliniac.net">50EFE4F5.1080303@inliniac.net</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
On 12/29/2012 03:05 AM, ??? wrote:<br>
> Hello:<br>
> I am reading suricata codes recently, I think the fisrt<br>
> "ACTION_REJECT_BOTH" should change to "ACTION_REJECT_DST" in<br>
> util-action.c file ActionOrderVal function line 56.<br>
<br>
This is the code:<br>
<br>
if( (action & ACTION_REJECT) ||<br>
(action & ACTION_REJECT_BOTH) ||<br>
(action & ACTION_REJECT_DST)) {<br>
action = ACTION_REJECT;<br>
}<br>
<br>
How do you think it should be different? If ACTION_REJECT_BOTH would be<br>
changed to ACTION_REJECT_DST the latter would appear twice.<br>
<br>
Cheers,<br>
Victor<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
<br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
<br>
End of Oisf-users Digest, Vol 38, Issue 8<br>
*****************************************<br>
</blockquote></div><br>